Educause Security Discussion mailing list archives

Re: IPtables versus Tcp_wrapper


From: Josh Richard <jrichar4 () D UMN EDU>
Date: Thu, 4 Mar 2010 12:29:43 -0600

On Thu, 2010-03-04 at 12:30 -0500, Valdis Kletnieks wrote:
On Wed, 03 Mar 2010 17:01:11 CST, Josh Richard said:
In any case, are we in agreement that given the choice of one or the
other, the preferred method would be iptables as it drops packets?

Important nit - iptables *optionally* drops packets. ;)

Sometimes, it's nice to send back a notice "Yo dood, you're lost".

So to make life easy for various authorized scanners and similar on campus,
I often do something like this:

-A input -p tcp -s 128.173.0.0/16 --syn -j REJECT --reject-with tcp-reset
-A input -p tcp -s 198.82.0.0/16 --syn -j REJECT --reject-with tcp-reset
-A input -p udp -s 198.82.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A input -p udp -s 128.173.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A input -j DROP

Basically, if it's from one of our two on-campus /16s, and it's TCP, we RST
back, and for UDP we ICMP back, so the other end gets the "no such port" clue
in a few milliseconds rather than having to time out.  If you're from off
campus, you're probably not one of my users, so I don't feel any responsibility
to make your life easy - you can sit there till you time out. ;)

(Yes, this *is* a slight information leakage to an on-campus attacker, but
the "play nice with campus" mostly outweighs it in my opinion. )


Valdis, 

That is a reasonable recommendation.  I will consider its use.  The
email list paid for itself today. :)

Not to open the worm can, but given all this discussion about filtering,
how many of us are currently maintaining IPv6 in production?  If so,
please consider the V6 analog to iptables -- ip6tables which allows for
most table manipulation.  Along that line, if you are using V6, how it
is going?

Thanks,

Josh Richard
UofMN Duluth
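The rule set Valdis quotes and the ip6tables analog Josh asks about can be generated from one list of trusted prefixes. The script below is an added example, not code from either poster or from any campus: it renders the "REJECT for on-campus sources, DROP for everyone else" tail of a filter chain in iptables-restore / ip6tables-restore format (using the built-in chain name INPUT, which iptables expects in upper case), and it simulates first-match evaluation of that tail so you can check what a given packet gets before loading anything. The prefixes are constructed placeholders (the two /16s from the thread plus the RFC 3849 documentation prefix standing in for a campus v6 block); the leading conntrack ACCEPT rule is an assumption about what normally precedes such a tail, since the thread shows only the tail itself.

```python
"""Render and simulate the campus-REJECT / world-DROP filter tail.

Added example (not from the mailing-list thread). Prefixes are constructed
placeholders; substitute your own before using the generated files.
"""
import ipaddress

# Constructed example prefixes: the two /16s quoted in the thread and the
# RFC 3849 documentation block as a stand-in for a campus IPv6 allocation.
TRUSTED_PREFIXES = [
    "128.173.0.0/16",
    "198.82.0.0/16",
    "2001:db8::/32",
]


def _split_by_family(prefixes):
    """Parse prefixes and separate them into IPv4 and IPv6 networks."""
    v4, v6 = [], []
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=True)
        (v4 if net.version == 4 else v6).append(net)
    return v4, v6


def render_rules(prefixes, chain="INPUT"):
    """Return {'iptables': text, 'ip6tables': text} in *-restore format.

    Order matters: the per-prefix REJECT rules must sit above the final
    DROP, otherwise the DROP matches first and nothing is ever rejected.
    Trusted TCP SYNs get a RST; trusted UDP gets port-unreachable; all
    other traffic reaching the tail is silently dropped.
    """
    v4, v6 = _split_by_family(prefixes)
    out = {}
    for tool, nets, unreach in (
        ("iptables", v4, "icmp-port-unreachable"),
        ("ip6tables", v6, "icmp6-port-unreachable"),
    ):
        lines = ["*filter"]
        # Assumption: replies to connections the host opened (and any
        # service ACCEPT rules you need) come before the reject/drop tail.
        lines.append(f"-A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
        for net in nets:
            lines.append(
                f"-A {chain} -p tcp -s {net} --syn -j REJECT --reject-with tcp-reset"
            )
            lines.append(
                f"-A {chain} -p udp -s {net} -j REJECT --reject-with {unreach}"
            )
        lines.append(f"-A {chain} -j DROP")
        lines.append("COMMIT")
        out[tool] = "\n".join(lines) + "\n"
    return out


def verdict(src, proto, syn, prefixes):
    """Simulate first-match evaluation of the generated tail for one packet.

    Returns one of 'tcp-reset', 'icmp-port-unreachable',
    'icmp6-port-unreachable' or 'DROP'. Only the tail is modelled, so
    ACCEPT is not a possible answer here.
    """
    addr = ipaddress.ip_address(src)
    v4, v6 = _split_by_family(prefixes)
    nets = v4 if addr.version == 4 else v6
    unreach = "icmp-port-unreachable" if addr.version == 4 else "icmp6-port-unreachable"
    for net in nets:
        if addr not in net:
            continue
        if proto == "tcp" and syn:
            return "tcp-reset"
        if proto == "udp":
            return unreach
        # A trusted TCP packet without SYN matches neither REJECT rule
        # (that is what --syn does), so it falls through to DROP.
    return "DROP"


if __name__ == "__main__":
    for tool, text in render_rules(TRUSTED_PREFIXES).items():
        print(f"# {tool}-restore input")
        print(text)
    for pkt in (("128.173.1.2", "tcp", True), ("8.8.8.8", "tcp", True),
                ("2001:db8::1", "udp", False), ("128.173.1.2", "tcp", False)):
        print(pkt, "->", verdict(*pkt, TRUSTED_PREFIXES))
```

Feed the two strings to `iptables-restore` and `ip6tables-restore` respectively; the simulation is the cheap way to confirm that off-campus sources and non-SYN TCP from campus both end in DROP before the rules go live.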


